Security News
tea.xyz Spam Plagues npm and RubyGems Package Registries
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
ember-purify
Advanced tools
Readme
When you need to render user provided HTML content but don't want to trust the user content with Ember's Ember.String.htmlSafe
or {{{ }}}
.
Uses DOMPurify to sanitize HTML & SVG. I strongly recommend you watch the video linked under the inspiration section. See XSS in action in Ember in this twiddle.
You can also run ember serve
to see the above mentioned approaches along with the purify-dom
helper. Inspect the DOM on all three broken images to see the difference.
ember install ember-purify
For templates,
{{purify-dom '<img src="missing-image.png" onerror=alert(1)//>'}}
will render
<img src="missing-image.png">
To use it in js,
import { sanitize } from 'dompurify';
Note that global config isn't applied to the functions imported in JS.
Details on DOMPurify, the underlying library can be found in its README
To configure the purify helper globally in your app's config/environment.js
,
ENV.APP.purify = {
// Refer to various config options in DOMPurify's README
};
In addition to the global configuration you can also pass the config to the helper which can either be merged to the global config(by default) or replaced(by passing overrideConfig=true)
{{purify-dom "<img src='google.com' data-something='dangerous'>" config=(hash ALLOW_DATA_ATTR=false) overrideConfig=true}}
Securing your EmberJS Application talk By Philippe De Ryck.
git clone <repository-url>
this repositorycd ember-purify
npm install
or yarn
ember serve
npm test
(Runs ember try:each
to test your addon against multiple Ember versions)ember test
ember test --server
ember build
For more information on using ember-cli, visit http://ember-cli.com/.
FAQs
Ember addon to help purify DOM content
The npm package ember-purify receives a total of 110 weekly downloads. As such, ember-purify popularity was classified as not popular.
We found that ember-purify demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
Security News
As cyber threats become more autonomous, AI-powered defenses are crucial for businesses to stay ahead of attackers who can exploit software vulnerabilities at scale.
Security News
UnitedHealth Group disclosed that the ransomware attack on Change Healthcare compromised protected health information for millions in the U.S., with estimated costs to the company expected to reach $1 billion.